Symantec Access Management

SPS: Configure Web Services Authz

  • 1.  SPS: Configure Web Services Authz

    Posted Aug 21, 2015 11:31 AM

    Good morning all,

     

    I'm trying to configure SPS WS Authz for a simple web-site. I would like to be able to use ws-authz to protect a simple site/app www.company.com/app.

     

    I have followed the instructions for Configuring the Authentication and Authorization web services, but I must have done something wrong because server.log shows that they fail to initialize:

     

    396:[21/Aug/2015:10:56:21-737] [INFO] - Loading Virtual Host: WebServicesAgentVirtualHost

    723:[21/Aug/2015:10:58:13-158] [FATAL] - [ERROR] Agent for virtual host : WebServicesAgentVirtualHost did not initialized properly

     

    I am trying to protect a simple webpage : www.company.com/app

     

    I'm running an Apache webserver and the Apache web-agent.

    I have configured an agent, domain, realm, rules, userdir, etc. to protect www.company.com/app with HTTP BASIC AUTH. This works. I can go to www.company.com/app in the browser and get thru by presenting credentials.

    Do I even need to do this? Does my /app need to be protected in this manner in order for web-services auths to work?

     

    After doing so, I made a copy of the AuthzWebServices ACO to use when turning the authz Web Services on:

    Create an ACO for the Web Services

    You can manage the web services through an ACO. To use the web services, you must enable the enableauth parameter or the enableaz parameter or both.

    Follow these steps:

    1. Create an ACO that is based on the AuthAzServiceDefaultSettings template in WAMUI.
    2. Configure the following parameters:
      • AgentName
        Defines the names of the web agent that protects a resource. You can define one or more web agents where each web agent protects an application. Enter a multi-value pair in the following format:

           Ok so www.company.com/app is running apache, with an apache web agent protecting it. Is this the wrong way to do this? What type of agent should protect /app?

        agent_name,appID <- I used the apache-agent I had used to protect /app with basic auth, entered "app" for appID. Confused about the purpose of appID. What should I specify here?

         

         

        • agent_name
          Defines the name of the web agent that protects a resource.
        • appID
          Defines the reference name of the web agent that was specified in agent_name or of the application that is protected by the web agent. ???

           I'm trying to protect /app. appID = app ?

        • CA SiteMinder® uses this value in the web services requests, thus protecting the agent name from the users.
      • enableauth
        Specifies the status of the authentication web service. If you want to use the authentication web service, set the value to yes. -> turned this on
      • enableaz
        Specifies the status of the authorization web service. If you want to use the authorization web service, set the value to yes. -> turned this on as well
      • RequireAgentEnforcement
        Specifies whether the web services must be protected by a CA SiteMinder® agent. Set this value to yes and protect the web services -> left this off for now

     

    In the SPS Proxy UI, I enabled authz web services.

     

    When I restart SPS,  I get the error messages shown above. What am I doing wrong? Any ideas? What type of agent should I use to protect /app?



  • 2.  Re: SPS: Configure Web Services Authz

    Posted Aug 21, 2015 11:34 AM

    Here's the log from sps agent:

    2015-08-21 10:57:32,615 INFO  [com.ca.soa.services.authaz.webservice.Log4jConfigurator] - SM_WSZ_00011 - Starting CA Authentication/Authorization Service

    2015-08-21 10:57:32,615 INFO  [com.ca.soa.services.authaz.webservice.Log4jConfigurator] - SM_WSZ_00012 - CA Authentication/Authorization Service started successfully

     

    Strangely, this log indicates that the Authz services started successfully... a minute before the server.log shows that they have not initialized properly.



  • 3.  Re: SPS: Configure Web Services Authz

    Posted Aug 21, 2015 12:10 PM

    Additionally, when asked to specify a FQDN for the authz web-services I bound another hostname to my server...is the virtualhost init failing because I'm trying to use name-based virtual hosts? Should I assign my machine another IP address to use address based virtual hosting?



  • 4.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:15 PM

    zestep

     

    when asked to specify a FQDN for the authz web-services I bound another hostname to my server.


    >>>> Make sure whatever VH name you provide, it is a valid one, e.g. resolves to an IP Address. If it is your playpen env, then make a host entry before you add the VH name in the SPS UI. A single IP Address suffices.



  • 5.  Re: SPS: Configure Web Services Authz

    Posted Aug 22, 2015 07:51 PM

    zestep

     

    Please check this thread. Re: SPS configuration for Web Services

     

    If there are any queries beyond this, please do let me know.

     

     

    Regards

     

    Hubert



  • 6.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 11:48 AM

    zestep

     

    The log shows that the resource is not protected.

     

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_AUTHTYPE: Not Protected

     

    Could you paste the XML WebService Request you are sending and also the Policy Domain / Realms we have created.

     

     

     

    2015-08-24 11:39:04,830 DEBUG [com.ca.soa.services.authaz.webservice.rest.LoginService] - Entered login GET request for subResources:app/index.html

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered login()

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getFilterCtxData()

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - appId: app resource: /index.html

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header username: Robm1

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header password: data not shown

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headeraction: GET

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headerappid: app

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headerresource: /index.html

    2015-08-24 11:39:04,831 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Printing Headers

    2015-08-24 11:39:04,832 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header content-type: text/xml

    2015-08-24 11:39:04,832 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header host: afdafdafdsafdsafdfasfsaf.com

    2015-08-24 11:39:04,832 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_TRANSACTIONID: 23bf94cd-f54a9ac8-b9a116f0-aa41e750-8a765bd7-c4

    2015-08-24 11:39:04,832 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header accept: */*

    2015-08-24 11:39:04,832 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header resource: /index.html

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header appid: app

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header user-agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_SDOMAIN: .dp.swg.usma.ibm.com

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header password: data not shown

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_USER:@

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_AUTHTYPE: Not Protected

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header username: Robm1

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header content-length: 109

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header action: GET

    2015-08-24 11:39:04,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_USERDN:

    2015-08-24 11:39:04,838 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Done Printing Headers

    2015-08-24 11:39:04,838 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Exit getFilterCtxData()

    2015-08-24 11:39:04,841 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogicBackend] - ProcessRequest returned: -1

    2015-08-24 11:39:04,841 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getResponseAttribute

    2015-08-24 11:39:04,841 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving getResponseAttribute

    2015-08-24 11:39:04,841 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getResponseAttribute

    2015-08-24 11:39:04,841 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving getResponseAttribute

    2015-08-24 11:39:04,841 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered populateResponseAttributes

    2015-08-24 11:39:04,842 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: content-type

    2015-08-24 11:39:04,842 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: cont

    2015-08-24 11:39:04,842 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: host

    2015-08-24 11:39:04,842 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_TRANSACTIONID

    2015-08-24 11:39:04,842 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_T

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: accept

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: acce

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: resource

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: reso

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: appid

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: appi

    2015-08-24 11:39:04,845 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user-agent

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_SDOMAIN

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_S

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: password

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: pass

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_USER

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_U

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_AUTHTYPE

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_A

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: username

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user

    2015-08-24 11:39:04,846 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: content-length

    2015-08-24 11:39:04,847 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: cont

    2015-08-24 11:39:04,847 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: action

    2015-08-24 11:39:04,847 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: acti

    2015-08-24 11:39:04,847 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_USERDN

    2015-08-24 11:39:04,847 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_U

    2015-08-24 11:39:04,847 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving populateResponseAttributes

    2015-08-24 11:39:04,854 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving login() returning: com.ca.soa.services.authaz.webservice.LoginResult@1e99fb1

    2015-08-24 11:39:04,854 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving login()



  • 7.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 11:57 AM

    POST like this:

     

    curl -X POST -d @sendau.xml -v http://host.com/authazws/AuthRestService/login/app/index.html --header "Content-Type:text/xml"

     

    <loginRequest>

            <userName>Robm1</userName>

            <password>*****</password>

            <action>GET</action>

    </loginRequest>

     

    I have a domain called "app".

    realm called "apprealm".

    associated agent = wsagent

    resource filter = /app

    Auth Scheme = Basic

     

    Rules: webagentrules

    resource: /*

    effective: wsagent/app/*

    Web Agent Actions: Get, Post, Put



  • 8.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:10 PM

    zestep

     

    Could you confirm the ACO which we are using for AuthAzWS has the following values set.

     

     

    ACO Name : authaz_aco

     

    DefaultAgentName : agent
    AgentName : wsagent,app1
    EnableAuth : yes
    EnableAz : yes
    RequireAgentEnforcement : no

     

     

     

     

     

    Now the POST Request

    Change that to

    curl -X POST -d @sendau.xml -v http://host.com/authazws/auth --header "Content-Type:text/xml"

     

     

     

    Change the XML Request as per my screenshot, except that the Resource should have /app/hello since your realm is protecting /app/*

    Please make sure the XML Request is complete as per the screenshot with all attributes needed.

     

     

     

     

     

    The primary mistake is the thought process. The correct thought process is we are sending all information in an XML Document to a WebService. All information includes

     

    • AgentName : represented by the TAG <appID>
    • Protected Resource : represented by the TAG <resource>
    • UserName : represented by the TAG <userName>
    • Password : represented by the TAG <password>

     

    All of the above need to be within the XML Document.



  • 9.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:14 PM

    Why is ACO parameter defaultagentname different than agentName? I have agentname : wsagent and defaultagentname: wsagent,app



  • 10.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:15 PM

    Also, I'm following the Web Services scenarios guide for the REST AUTH/AZ interfaces. I believe the XML I have is correct but will add <appID> and <resource>



  • 11.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:19 PM

    I would recommend using authaz WSDL and then build your request from that. It is much simpler this way, than trying to anticipate / infer from documentation.



  • 12.  Re: SPS: Configure Web Services Authz

    Posted Mar 20, 2017 04:15 AM

    Hubert, I know this is an old post but I have some queries here. Could you help?

     

    Question - How to use WADL to trigger REST calls



  • 13.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:17 PM

    This is incorrect

     

    defaultagentname : change it to something else - it is like a dummy wa object.

     

    agentname should be : wsagent,app



  • 14.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:22 PM

    I changed defaultagentname for the web-services ACO to a non-existent web-agent and got a little warning message on submission. This ok?



  • 15.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:26 PM

    Now I get return code 500 when posting to auth/login



  • 16.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:31 PM

    enable WATRACE log in SPS ACO please



  • 17.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:29 PM

    create a dummy agent object please.



  • 18.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:36 PM

    I have done this, and also enabled WATRACE. Still see that the resource is not protected for some reason in authz.log.

     

    2015-08-24 12:33:50,711 DEBUG [com.ca.soa.services.authaz.webservice.rest.LoginService] - Entered login GET request for subResources:app/index.html

    2015-08-24 12:33:50,711 DEBUG [com.ca.soa.services.authaz.webservice.rest.LoginService] - Entered login GET request for subResources:app/index.html

    2015-08-24 12:33:50,711 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered login()

    2015-08-24 12:33:50,712 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getFilterCtxData()

    2015-08-24 12:33:50,826 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - appId: app resource: /index.html

    2015-08-24 12:33:50,827 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header username: Robm1

    2015-08-24 12:33:50,827 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header password: data not shown

    2015-08-24 12:33:50,827 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headeraction: GET

    2015-08-24 12:33:50,827 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headerappid: app

    2015-08-24 12:33:50,827 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Headerresource: /index.html

    2015-08-24 12:33:50,827 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Printing Headers

    2015-08-24 12:33:50,827 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header content-type: text/xml

    2015-08-24 12:33:50,827 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header host:

    2015-08-24 12:33:50,827 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_TRANSACTIONID: a49cd4f6-cd294b08-6654f92e-aa39c63e-2dccac32-7a

    2015-08-24 12:33:50,828 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header accept: */*

    2015-08-24 12:33:50,828 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header resource: /index.html

    2015-08-24 12:33:50,828 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header appid: app

    2015-08-24 12:33:50,828 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header user-agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2

    2015-08-24 12:33:50,828 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_SDOMAIN: .dp.swg.usma.ibm.com

    2015-08-24 12:33:50,828 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header password: data not shown

    2015-08-24 12:33:50,828 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_USER:

    2015-08-24 12:33:50,829 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_AUTHTYPE: Not Protected

    2015-08-24 12:33:50,829 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header username: Robm1

    2015-08-24 12:33:50,829 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header content-length: 163

    2015-08-24 12:33:50,829 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header action: GET

    2015-08-24 12:33:50,829 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Header SM_USERDN:

    2015-08-24 12:33:50,834 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Done Printing Headers

    2015-08-24 12:33:50,834 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Exit getFilterCtxData()

    2015-08-24 12:33:50,837 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogicBackend] - ProcessRequest returned: -1

    2015-08-24 12:33:50,849 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getResponseAttribute

    2015-08-24 12:33:50,849 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving getResponseAttribute

    2015-08-24 12:33:50,849 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered getResponseAttribute

    2015-08-24 12:33:50,849 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving getResponseAttribute

    2015-08-24 12:33:50,850 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Entered populateResponseAttributes

    2015-08-24 12:33:50,850 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: content-type

    2015-08-24 12:33:50,850 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: cont

    2015-08-24 12:33:50,850 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: host

    2015-08-24 12:33:50,850 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_TRANSACTIONID

    2015-08-24 12:33:50,850 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_T

    2015-08-24 12:33:50,850 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: accept

    2015-08-24 12:33:50,850 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: acce

    2015-08-24 12:33:50,850 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: resource

    2015-08-24 12:33:50,850 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: reso

    2015-08-24 12:33:50,850 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: appid

    2015-08-24 12:33:50,850 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: appi

    2015-08-24 12:33:50,851 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user-agent

    2015-08-24 12:33:50,851 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user

    2015-08-24 12:33:50,851 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_SDOMAIN

    2015-08-24 12:33:50,851 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_S

    2015-08-24 12:33:50,851 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: password

    2015-08-24 12:33:50,851 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: pass

    2015-08-24 12:33:50,859 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_USER

    2015-08-24 12:33:50,859 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_U

    2015-08-24 12:33:50,860 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_AUTHTYPE

    2015-08-24 12:33:50,860 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_A

    2015-08-24 12:33:50,860 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: username

    2015-08-24 12:33:50,860 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: user

    2015-08-24 12:33:50,860 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: content-length

    2015-08-24 12:33:50,860 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: cont

    2015-08-24 12:33:50,860 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: action

    2015-08-24 12:33:50,860 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: acti

    2015-08-24 12:33:50,860 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_USERDN

    2015-08-24 12:33:50,860 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - key: SM_U

    2015-08-24 12:33:50,860 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving populateResponseAttributes

    2015-08-24 12:33:50,860 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving login() returning: com.ca.soa.services.authaz.webservice.LoginResult@def329

    2015-08-24 12:33:50,861 DEBUG [com.ca.soa.services.authaz.webservice.ServiceLogic] - Leaving login()



  • 19.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 11:50 AM

    zestep

     

     

    Enable the WA TRACE LOGGING in ACO which SPS is using - this will show the resource being called. We need to create a realm to protect that resource with Basic Authentication Scheme (to start with).

     

     

    Regards

     

    Hubert



  • 20.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 11:57 AM

    zestep

     

    Here's what we need to do.

     

    No need to protect the AuthAzWS URL i.e. /authazws/auth for testing purposes. In Prodn we need to protect this using X509 auth.

      

    Now in the ACO which we are using for AuthAzWS i.e. authaz_aco. Look at the AgentName Parameter. It is wa_authaz_app1,app1

     

    Create a Policy Domain with a realm, with Basic Authentication Scheme, to protect resource /testpage, with rule /* (with GET POST PUT) and associate wa_authaz_app1 to this realm. Add the rule to Policy and allow all users for now.

     

    Then Open SOAP UI and send the following request.

     

    [Screenshot attached: SPS configuration for Web Services]



  • 21.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:05 PM

    I have done this. I have an authaz aco , a domain and realm and the rule as well.



  • 22.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:30 PM

    zestep


    Here's how the mapping should be. Tailor this to your ENV, i.e. both Objects created on Policy Server and XML Document.

     

     

    [Screenshot attached: SPS configuration for Web Services, mapping between Policy Server objects and XML Document]



  • 23.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:45 PM

    zestep

     

    Let us start from ground 0 again.

     

    1. Could you check the server.log and tell us if all Virtual Hosts i.e. Default and AuthAz have been initialized correctly?
    2. Could you check in smwa.log whether it shows both VHs initialized successfully?
    3. Check the screenshot of the logs in this thread SPS configuration for Web Services
    4. Access the WSDL URL on the Browser and tell us if it works. http://hostname/authazws/auth?wsdl

     

    These 4 steps above would confirm if your AuthAz WebService has initialized correctly.

     

     

    If all of the above is correct and initialized properly, then it is a configuration issue on

       A. ACO..

       B. Policy Domain.

       C. XML Document or Posting URL

     

     

    Regards

     

    Hubert



  • 24.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 12:50 PM

    Ok. Thanks Hubert!

     

    Steps 1-4) indicate success. THE WSDL appears in step 4)

     

    I think there must be some issue with my configuration.



  • 25.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 01:00 PM

    zestep

     

    Good, stage 1 is a success.

     

    Now visit this checklist

    1. AuthAz ACO Parameters.
      1. DefaultAgentName : Use a Proper Agent Object which is different from AgentName. The purpose is to act like a dummy agent i.e. if AgentName match fails, then use DefaultAgent.
      2. AgentName : <agent which is mapped to realm protecting resource>,appID
        1. Example : AgentName : wsagent,app1
      3. EnableAuth = yes
      4. EnableAz = yes
      5. RequireAgentEnforcement = no
    2. Policy Domain.
      1. Realm : /app
      2. Rule : /*
      3. Policy : ALL USERs
    3. XML Document
      1. appID : app1            (Refer 1.2.1)
      2. Resource : /app/test.html       (Refer 2.1.1, 2.1.2).
    4. Posting URL
      1. http://hostname/authazws/auth

     

     

    If this still does not work, then we need to match your ACO values, Policy Domain, XML Document, POST URL and WATRACE log.

     

     

     

    Regards

     

    Hubert



  • 26.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 01:12 PM

    I'm using the REST not SOAP interface, or at least trying to.



  • 27.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 01:16 PM

    zestep

     

    Can you download SOAP-UI and test using SOAP-UI first to see if it works. Then build on top of it. This at least ensures that your configuration is correct.



  • 28.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 01:02 PM

    I have webagents: spsagent, wsagent, and wsagent-dummy. ACOs wsauth-aco and sps-aco.

     

    I'd like to protect a website like www.company.com/app.

     

    What do I need to do from here?

     

    Formerly, I had a domain,realm,policy for /app/* and associated wsagent with it.



  • 29.  Re: SPS: Configure Web Services Authz
    Best Answer

    Posted Aug 24, 2015 01:12 PM

    zestep

     

    1. ACO : sps-aco
      1. DefaultAgentName : spsagent
      2. Enable WA Trace Logging here.
    2. ACO : wsauth-aco
      1. DefaultAgentName : wsagent-dummy
      2. AgentName : wsagent,applicationid1
      3. EnableAuth : yes
      4. EnableAz : yes
      5. RequireAgentEnforcement : no
    3. Policy Domain
      1. Realm : /app    (protected using Basic Auth).
      2. Realm : wsagent   (map Agent defined in AgentName to Realm).
      3. Rule : /*
      4. Policy : All Users and associate Rule.
    4. XML Document
      1. <appID>applicationid1</appID>
      2. <resource>/app/testing</resource>
      3. <userName>user</userName>
      4. <password>userspassword</password>
    5. POSTING url
      1. http://FQDN-VH-AuthAzWS/authazws/auth

     

     

    Check the WATRACE log and it should return

    • Agent identified as 'wsagent' using <appID> and ACO-AgentName pattern matching.
    • Resource IsProtected() i.e. /app/testing - should return as Protected.

     

     

    Regards

     

    Hubert



  • 30.  Re: SPS: Configure Web Services Authz

    Posted Aug 25, 2015 10:54 AM

    So, the login and auth services seem to work. I'd like to protect the web services using x509 authz... Any advice on how to do this? I've generated a self-signed client cert/key pair and tried to set up a valid certificate mapping.

     

    HubertDennis



  • 31.  Re: SPS: Configure Web Services Authz

    Posted Aug 25, 2015 12:00 PM

    Protect the Web Services We recommend that you protect the web services in a production environment. Protecting the web agent of the web services lets CA SiteMinder® authenticate and authorize the web services client before a user request is processed. When you protect the web services in your production environment, CA SiteMinder® SPS includes the SMSESSION cookie into the user request. If the RequestSmSessionCookie ACO parameter is enabled, CA SiteMinder® ensures that the web services verify the user request for the SMSESSION cookie before processing the user request. To protect the web services, we recommend that you configure CA SiteMinder® SPS to protect the web services root URL using the X.509 Client Certificate authentication scheme.

     

    So....do I need another web-agent for the x509 cert scheme?

     

    To protect the web services, we recommend that you configure CA SiteMinder® SPS to protect the web services root URL using the X.509 Client Certificate authentication scheme.

     

    Does this mean I am to protect /authazws ? or literally the root directory / .

     

    HubertDennis



  • 32.  Re: SPS: Configure Web Services Authz

    Posted Aug 25, 2015 12:23 PM

    zestep

     

    I have opened a new discussion to keep the content focused. It helps the wider forum when a search is done for a specific content. Hence "Protecting the WebService" I opened a new thread and lets connect there.

     

    CA SSO : SPS : Protecting AuthAz WebService

     

     

    Regards

     

    Hubert



  • 33.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 02:00 PM

    The SOAP Auth interface works through SOAP UI, over the soap interface. The problem must have been in my own XML payload going to the REST interface. It would be great if the REST interface exposed a WADL corresponding to the WSDL for the SOAP interface.



  • 34.  Re: SPS: Configure Web Services Authz

    Posted Aug 24, 2015 02:14 PM

    curl -X POST -d @sendau.xml -v http://host.com/authazws/AuthRestService/login/app/index.html --header "Content-Type:text/xml"


    This request was bad.


    Here's how to login using REST API:


    curl -X POST -d @sendau.xml -v http://host.com/authazws/AuthRestService/login/app1/app/index.html


    app1 = appID, app = first part of resource URI
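The mapping from the Best Answer (ACO AgentName pair, realm filter and rule, XML document) and the REST URL layout from the last post, as an added consistency check that is not part of this thread or of the product. Names such as wsagent, app1, /app and the loginRequest tags come from the thread; the function names and the sample authz.log lines are constructed for this example.

```python
"""Check why a SiteMinder SPS AuthAz REST login comes back 'Not Protected'.

Added example, not the product's own code. It models the thread's checklist:
ACO AgentName holds 'agent_name,appID' pairs, a realm (with its agent)
protects a resource filter plus rule, and the REST login URL carries appID
and resource as path segments:
    /authazws/AuthRestService/login/<appID>/<resource>
Helper names and the sample log below are constructed for this example.
"""
import re
from xml.etree import ElementTree as ET

REST_LOGIN_PREFIX = "/authazws/AuthRestService/login"

# Constructed sample of the authz.log lines quoted in the thread.
SAMPLE_AUTHZ_LOG = """\
2015-08-24 12:33:50,829 DEBUG [ServiceLogic] - Header SM_USER:
2015-08-24 12:33:50,829 DEBUG [ServiceLogic] - Header SM_AUTHTYPE: Not Protected
2015-08-24 12:33:50,829 DEBUG [ServiceLogic] - Header username: Robm1
"""


def parse_aco_agent_name(value):
    """ACO AgentName is multi-valued, one 'agent_name,appID' per line.
    Returns a dict mapping appID -> agent_name."""
    mapping = {}
    for line in value.splitlines():
        line = line.strip()
        if not line:
            continue
        agent, _, app_id = line.partition(",")
        if not app_id:
            raise ValueError("AgentName entry lacks ',appID': %r" % line)
        mapping[app_id.strip()] = agent.strip()
    return mapping


def split_sub_resources(sub_resources):
    """Split the URL tail the way the service logged it ('appId: app
    resource: /index.html'): first segment is appID, rest is the resource."""
    app_id, _, rest = sub_resources.lstrip("/").partition("/")
    return app_id, "/" + rest


def realm_protects(realm_filter, rule, resource):
    """True when resource lies under the realm filter and the rule pattern
    (e.g. '/*') matches the remaining path."""
    if not resource.startswith(realm_filter):
        return False
    tail = resource[len(realm_filter):]
    pattern = "^" + re.escape(rule).replace(r"\*", ".*") + "$"
    return re.match(pattern, tail) is not None


def build_rest_login_url(host, app_id, resource):
    """REST login URL in the form given at the end of the thread."""
    return "http://%s%s/%s%s" % (host, REST_LOGIN_PREFIX, app_id, resource)


def build_login_request(user_name, password, action="GET"):
    """Body of the REST login POST, the <loginRequest> posted in the thread."""
    root = ET.Element("loginRequest")
    ET.SubElement(root, "userName").text = user_name
    ET.SubElement(root, "password").text = password
    ET.SubElement(root, "action").text = action
    return ET.tostring(root, encoding="unicode")


def check_request(agent_name_param, realms, sub_resources):
    """Walk the checklist for one REST login call.

    realms: list of (agent, realm_filter, rule) tuples from the policy domain.
    Returns (ok, reason); ok is False for the two failure modes in the thread:
    appID unknown to the ACO, or resource outside every realm of that agent.
    """
    app_id, resource = split_sub_resources(sub_resources)
    agent = parse_aco_agent_name(agent_name_param).get(app_id)
    if agent is None:
        return False, ("appID %r not in ACO AgentName; the service falls back "
                       "to DefaultAgentName" % app_id)
    for realm_agent, realm_filter, rule in realms:
        if realm_agent == agent and realm_protects(realm_filter, rule, resource):
            return True, "agent %r protects %s via realm %s rule %s" % (
                agent, resource, realm_filter, rule)
    return False, "no realm mapped to agent %r covers %s" % (agent, resource)


def sm_authtype_values(log_text):
    """Extract the SM_AUTHTYPE header values from authz.log text; a value of
    'Not Protected' is the symptom the thread was chasing."""
    return re.findall(r"Header SM_AUTHTYPE: (.*)$", log_text, re.M)
```

Running check_request with the thread's first URL (subResources app/index.html) reports the resource /index.html as outside realm /app, while app1/app/index.html with AgentName wsagent,app1 resolves to wsagent and is protected.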